Scanning & Reconnaissance Challenge 2 - Scandiego

Prompt

We followed a person dressed in red through a strange portal. Shortly after entering the portal, they abandoned their computer. There’s a sticky note identifying the computer hostname as manager. Let’s hook up to it with our kali machine and see what we can find!

Answers

Q1 (10 pts) - What language is manager set to use?
Answer format: language_region.encoding en_AU.UTF-8

Q2 (10 pts) - What city does manager claim to be running in?
Sydney

Q3 (15 pts) - On manager, what is the lowest UDP port that is running? Hint: Start scanning beyond port 3000
5353

Q4 (15 pts) - What service is running on the lowest open UDP port? (same port from question 3)
mDNS

Q5 (15 pts) - What name does the service group for this service advertise on the network?
Globetrotter

Q6 (15 pts) - What two service types are advertised in the service group from question 5?
Format: type1, type2 NOTE: This question only allows maximum of 2 attempts, you have 2 attempts remaining. ssh, http

Q7 (20 pts) - The service is advertising a flag. Can you find it?
SKY-VILE-8610

Steps I Took

I started by pinging the hostname manager to get the IP address. 10.5.20.132

I then ran:

nmap -sC -sV manager

Q2 — The answer was in the output from that command as well.

Q3 — I then used the following UDP scan:

nmap -sU -p 3000-10000 manager --min-rate=1000 -T4

For Q4, I first answered zeroconf, but the challenge expected mDNS.

For Q5 through Q7, I originally planned to use Avahi, but the container did not have internet access, so I could not install it.

I then searched for an Nmap script that could enumerate DNS service groups and found this one in the Nmap documentation: https://nmap.org/nsedoc/scripts/dns-service-discovery.html

nmap -sU -p 5353 --script=dns-service-discovery manager

That script gave me the remaining answers I needed.